Friday, October 28, 2005

Michael Boman has just posted a short article in which he details some open source tools he uses for "exploit engineering" on the Windows platform. I'm not as familiar with the Windows development tools as I am with their Unix counterparts, but I might have to try some of these myself.

Thursday, October 27, 2005

As some of you know, I've been wanting to meet more infosec pros in my local area (sounds like the beginning of a 900 number ad). I started by volunteering as a SANS Local Mentor, and that worked very well, but now I'm going to take the next step.

I've been working with the fine folks at Sourcefire to help me create a local Snort Users Group, and I'm finally ready to announce our first meeting!

The speaker for our inaugural meeting will be Sourcefire's Jason Brvenik, who will fill us in on the new target-based IDS technology that they are incorporating into the open source Snort code.

By the way, don't let the group's name fool you. Even if you're not interested in Snort itself, please consider attending anyway. Most Snort user groups cover a variety of security-related topics, and that's what I want for this one, too. So if you want to meet some of your peers in an informal setting and learn some of the newest happening in the security world, HRSUG is for you!

Please pass the word, and contact me (david vorant com) if you'd like any more information.

Monday, October 24, 2005

My experience tells me that a lot of people are still confused over the differences between risks, threats and vulnerabilities. In fact, even security pros (who should know better) often find themselves misusing the terms in casual conversation. The following simple analogy may help clarify the situation:

Imagine that you are going on a trip. While packing your suitcase, you realize that you need to bring some shampoo. Your shampoo has a flip top, not a screw top, and so you're concerned that if you pack your bag too full, the airport baggage handlers might treat your bag roughly, exerting excess pressure on the bottle and popping the top. Shampoo could spurt all over your stuff!

In this scenario, you have a vulnerability (the flip top shampoo bottle which might not survive a good squeeze). The threat is that baggage handlers are not known for being gentle. The risk is that your clothes might get doused with shampoo.

Change any one of these conditions and you don't have anything to worry about. If you remove the vulnerability by taking a screw top bottle instead, your clothes will be fine because even the baggage monkeys can't rupture a properly made bottle (you hope). Similarly, if you decide to carry your luggage on, you can probably avoid the baggage handlers altogether, and you will naturally be more careful with your own bag.

While we're on the subject, let's carry the analogy a bit further and talk about countermeasures. There are four basic types of countermeasures: Preventative, Reactive, Detective and Administrative. Preventative countermeasures work by keeping something from happening in the first place. In the example above, enclosing the bottle in a rigid plastic box would certainly help keep it from being crushed, and would count as a preventative countermeasure.

A reactive countermeasure comes into play after an event has already occurred. If you arrived at your hotel and found that your clothes were, in fact, covered with goo, you could make use of the hotel's laundry to correct the problem. This would be an example of a reactive countermeasure.

I can't really think of a realistic example of a detective measure here (a shampoo sniffing dog?) so finally, an administrative countermeasure uses policy to protect an asset. In this case, you could attempt to avoid the situation by making it your policy to rely on the hotel's shampoo, thus removing your need to bring your own.

I hope this has made things a little more clear. It is the combination of the vulnerability (the flip top shampoo bottle) and the threat (baggage monkeys at the airport) that creates a risk (to the clothes). You can attempt to use various countermeasures to bring the risk down to acceptable levels, or you could simply accept the risk and move on.

Of course, as I am a devious person, I might choose to take a different option. I can always transfer the risk by packing the shampoo in my wife's bag. I'll leave you to do your own risk analysis for that one...

Friday, October 21, 2005

The Los Angeles Times is running a great behind-the-scenes story on Nigerian 419 scams, entitled I Will Eat Your Dollars. I think this is the best thing I've ever read on the subject, as it follows an actual scammers in Lagos. The story goes into detail on how the scammer, Stephen (19 yrs old), got into the business and why it was so attractive to him and his colleagues. If you have any interest at all in the subject, you really should read this article.

I've said that I find this very disturbing, and here's why: the government has neither the right nor the legitimate need to track arbitrary documents printed by its citizens. Frankly, this is the sort of thing I expect to hear about China, not the US.

Thursday, October 06, 2005

What an interesting idea. this article's thesis is that pentest results can potentially be used against the company that ordered the test. In court, opposing counsel could use them to argue that the company failed to exercise due dillegence in protecting its assets.

The solution? Have your attorney arrange the pentest, and then the results will be covered under attorney-client privilege.

This is kind of a neat legal "hack", but it's kinda sad that this could be necessary. Pentests are all about exercising due dillegence, not ignoring it. At least, if a company properly follows through on the response to the findings, which is not always the case. So if you're planning to ignore the results of your next test, read this article.